Together with Ping Identity, PEXA has introduced multi-factor authentication (MFA) to provide an extra layer of security when logging in to your account. This new login process introduces a new-look login screen and requires you to protect your account with both your password and a one-time passcode – either via the PingID app or SMS.

Once implemented, you will only be required to provide a one-time passcode (OTP) once every 12 hours per device. If you subsequently log in to PEXA in that 12-hour period using a different browser or on a different device, you will be asked to enter a new OTP.

This post will continue to be updated to include your frequently asked questions.

Multi-factor authentication (MFA) is a security measure that requires someone to provide two or more types of evidence to verify their identity when logging in to an account or completing a transaction. Evidence types are categorised into something you know (e.g. password), something you have (e.g. bank card) and something you are (biometrics).

Example

There are two authentication methods at play when you withdraw cash from an ATM - you are required to provide both your card (something you have) and your PIN (something you know).

When logging in to the PEXA platform, members will be required to provide their username and password as well as a one-time passcode sent to their mobile phone – either via the PingID app or SMS.

In the same way that a digital certificate token and accompanying PIN are used to verify the identity of a digital signer to authorise a PEXA transaction, the one-time passcode sent to your mobile phone via SMS/PingID app will be used to verify your identity when logging in to PEXA.

When logging in to the PEXA platform, members will be required to provide their username and password as well as a one-time passcode sent to their mobile phone – either via the PingID app or SMS. View our set-up guides and videos for further information on getting started.

PEXA has updated its Security Policy to require all Representative Subscriber users to use multi-factor authentication, unless PEXA grants a waiver from this requirement. Waivers will only be granted where the risk of fraud is deemed to be mitigated following an evaluation of the Subscriber's security framework.

It’s important to note that funds cannot be misdirected unless you physically sign off on the fraudulent account details using your bespoke digital certificate and accompanying password, so we encourage all members to check the details they’re signing off on prior to applying their digital certificate and password.

No! A PEXA employee will never call you to ask for your PingID/one-time passcode. If you receive a call of this nature, do not provide these details and report it immediately to security@pexa.com.au. PEXA uses established security questions to verify your identity over the phone.

We have a dedicated Online Security group on the e-Conveyancing Community for PEXA members interested in keeping up-to-date on the world of cyber-security. Joining the group will give you the opportunity to stay on top of PEXA security updates, receive helpful hints and tips for staying safe online and ask questions to your Community peers and the PEXA security team.

Yes. The PingID app authentication method requires a smartphone. However, if you don't have a smartphone, you can use SMS authentication on a mobile phone. View our set-up guide and video for further information on getting started.

If you have set up the PingID app, you will need to unpair your device before re-pairing it with your new PEXA account. To unpair your device, click on the settings cog within the app and select 'unpair device'. You will then need to follow the set-up instructions the first time you log in to your new PEXA account.

If you have set up the SMS authentication method, you will need to call Support on 1300 084 515 to pair your number with your new account.

If you can't download the PingID app, you can use SMS authentication as an alternative. If you land on the Finish Pairing PingID screen but do not have the app, click 'Start Over' to return to the set-up screen.

Unpairing your device via the PingID app means your phone is no longer connected to your PEXA credentials. You will not be able to log in to your PEXA Workspace without pairing your device. Alternatively, you can use SMS authentication.

If you are overseas and have roaming turned on, you can still receive text messages to the Australian phone number you used to set up multi-factor authentication. It is often free to receive a text message but we advise you to check this with your provider.

If you are unsure whether you will be able to receive text messages whilst abroad, we recommend that you switch to the PingID app authentication method prior to travelling overseas. To do so, you'll first need to call Support on 1300 084 515. Following security checks, a member of the PEXA Support team will disable your SMS authentication. The next time you log on to PEXA, you will be prompted to set up your preferred method of authentication. You can then set up the PingID app.

You will only be required to provide multi-factor authentication once every 12 hours per device. If you subsequently log in to PEXA in that 12-hour period using a different browser or on a different device, you will be asked to provide multi-factor authentication again.

Call Support on 1300 084 515 and, following security checks, a member of the PEXA Support team will temporarily disable your multi-factor authentication so that you can log in to PEXA using your username and password. Remember: funds cannot be misdirected unless a digital certificate holder physically signs off on the fraudulent account details using their bespoke digital certificate and accompanying password.

Call Support on 1300 084 515. Following security checks, a member of the PEXA Support team will disable multi-factor authentication on your stolen phone. You will temporarily be able to log in to PEXA using your username and password. You will need to set up multi-factor authentication on your new device.

Call Support on 1300 084 515. Following security checks, a member of the PEXA Support team will disable your SMS authentication. The next time you log on to PEXA, you will be prompted to set up your preferred method of authentication.

If you have the PingID app, you can disable multi-factor authentication from your phone by unpairing it. To unpair the phone, log in to the PingID app, select the settings cog in the top right-hand corner, select "Unpair device" and select "yes".

If you have SMS authentication, call Support on 1300 084 515. Following security checks, a member of the PEXA Support team will disable your SMS authentication.

Important: PEXA has updated its Security Policy to require all Representative Subscriber users to have multi-factor authentication unless PEXA grants a waiver from this requirement. Users will not be able to access their PEXA accounts without multi-factor authentication enabled.

It is not currently possible for a Subscriber Manager/Administrator to view which of the users within their organisation have enabled multi-factor authentication. Contact Support on 1300 084 515 or support@pexa.com.au if you require this information.

If your question is not answered in the above FAQs, reply to this post and we will respond as soon as possible. Alternatively, you can contact your PEXA Direct Specialist/Account Manager or call Support on 1300 084 515.

Hi @Damonallens - you won't need to install anything on your desktop. For multi-factor authentication, each PEXA user will need to either provide a mobile phone number to set up SMS or download an app to your mobile phone.

Hmm not sure what you mean @DMc - MFA isn't my area but if you've downloaded the app, wouldn't you be using the app rather than your mobile's web browser? Or are you talking about the initial pairing of your device? If you're attempting to do that without first downloading the app, it won't work - not sure if that's what you're running into though? Last resort, there's always SMS. If you can't download the PingID app, you can use SMS authentication as an alternative.

Or.... are you talking about accessing PEXA via your mobile browser? I have a feeling this is a different URL, not currently in the MFA pilot - I'll check in with the team to confirm if this is the case though.

Both the API login and desktop browser still ask for PingID code to authenticate (on their first daily login-use),

Merely thought it strange that the mobile (first login of the day), did not... not complaining, merely assumed that PingID recognised browser access from the registered SMS mobile, but thought it best to check?!

Hi @LynMac, you may only use one authentication method. Either the PingID App or SMS on mobile phone, or where it is not possible to use your mobile phone for multi-factor authentication, the PingID application on your desktop.

@LynMac if you do happen to leave your phone at home, and are unable to go get it please call Support on 1300 084 515 and press 3 and, following security checks, a member of the PEXA Support team will temporarily disable your multi-factor authentication so that you can log in to PEXA using your username and password.